SASE: The New Baseline for Modern Enterprise Security
For years, networks were built like fortresses—everything tucked safely inside a data center with a hard perimeter and a single drawbridge. It worked when users and applications lived inside the walls. That world is gone.
Today’s reality is simple: Users are everywhere. Applications are everywhere. The perimeter has dissolved.
This shift didn’t happen overnight. It’s the result of cloud adoption, hybrid work, and the explosive growth of internet-facing applications. And it created a huge mismatch between the way networks were built and the way businesses now operate.
This is the gap SASE was designed to solve. And if you’re still holding on to VPN-heavy, hairpinned, castle-and-moat designs, it’s time to rethink your foundation.
From MPLS and Data Centers to Everywhere-Access
In the traditional model, traffic from branches, campuses, and remote sites all funneled through MPLS back to the data center. Once inside, firewalls, proxies, IDS/IPS systems, and VPN appliances inspected, filtered, and controlled access.
It looked something like this:
- Private apps in the data center
- Dual data centers for failover
- MPLS circuits connecting every site
- Remote users tunneling in through VPN
- SaaS apps used sparingly, if at all
But then the world shifted. Users left the building. Apps moved to Azure, AWS, GCP, and SaaS platforms like Microsoft 365 and Salesforce. Work happened on home Wi-Fi, Starbucks Wi-Fi, and everything in between. The traffic that once flowed through your perimeter now bypassed it completely. The castle didn’t fall. It simply became irrelevant.
Why Performance Fell Apart
As SaaS adoption grew, something predictable happened. Branch users started complaining about latency. CFOs started complaining about MPLS bills. And IT was stuck maintaining systems that no longer aligned with how work was getting done.
Traffic from a branch user accessing Salesforce might:
- Travel to the data center through MPLS
- Hit every security device in the stack
- Go back out to the internet
- Reach Salesforce
- Reverse the entire path on the way back
A process that should’ve been simple became a bottleneck. That’s when the industry accepted a tough truth: Security anchored to a physical data center can’t keep up with a cloud-first workforce.
SASE: A New Architectural Foundation
In 2019, Gartner introduced SASE—Secure Access Service Edge—recognizing a clear need to merge networking and security in a cloud-delivered model. A year later, NIST published its Zero Trust Architecture guidance, reinforcing the idea that trust must be verified continuously, not assumed based on location. Then COVID hit, and the entire shift accelerated.
SASE brings together two things:
- SD-WAN: The connectivity engine—multiple links, intelligent routing, improved performance, reduced cost.
- Security Service Edge (SSE): Cloud-delivered security services that sit close to the user and application, not stuck in the data center:
  - Secure Web Gateway (SWG)
  - Zero Trust Network Access (ZTNA)
  - Cloud Access Security Broker (CASB)
  - Firewall-as-a-Service
  - Remote Browser Isolation (RBI)
  - Data Protection / DLP
  - DNS security and digital experience monitoring
These services run in one unified pass in the cloud, inspecting and validating traffic without hairpinning to the data center. A branch user accessing Salesforce? One efficient path. A remote engineer logging in for a maintenance window? Same experience—secure, identity-based, and free of VPN headaches.
This is why SASE works. It brings network and security controls to the same place users already are.
Why Identity Matters More Than Ever
Organizations often want to jump straight to SD-WAN or ZTNA. But none of it performs well unless identity is rock solid. If every user, intern to CEO, gets the same level of access, SASE loses its value instantly. Identity is the anchor.
You need:
- Clean AD or Entra ID (Azure AD) structures
- Strong MFA
- Clear role-based access
- Privileged access controls
- Solid NAC or 802.1X hygiene
Skipping this step creates blind spots, inconsistent access, and misaligned enforcement. Getting identity right makes the entire security stack smarter, faster, and more effective.
SASE Is Not a “Flip the Switch” Moment
A successful SASE rollout isn’t a big-bang overhaul; it’s a phased transformation. You move toward it as contracts renew, as hardware ages out, and as the business grows more distributed. You evaluate what you have, identify gaps, and choose whether a platform or best-of-breed model works for your organization.
What matters is consistency, which is why so many companies now treat SASE as the new foundation rather than an optional upgrade. SASE isn’t the finish line. It’s the new baseline.
Where Most Organizations Start
Based on the conversations ANM has with engineering teams, security leaders, and IT executives, companies usually begin with one of three entry points:
- Replace VPN with ZTNA: The lift is big, but the payoff is huge. Less friction. More control. Better visibility. No split tunneling, no overloaded concentrators, no collapsing VPN infrastructure.
- Local internet breakout with SD-WAN: Reduces cost, improves performance, and sets the stage for cloud-delivered security.
- Cloud-first security stack: Firewall-as-a-service, SWG, CASB, or DLP—any of these pieces can be the starting point.
Once identity is in order, the transition becomes far smoother.
Where ANM Can Help
If you’re evaluating how to move from legacy perimeter models to cloud-delivered security, ANM offers two hands-on workshops to help you build the right roadmap:
Zero Trust Architecture Workshop: A whiteboard-driven session that gives you a practical roadmap, maturity assessment, and recommended next steps based on your environment.
Identity Access Management Workshop: A focused review of MFA, SSO, privileged access, governance, and identity hygiene—critical building blocks for SASE success.
Both sessions are designed to help teams understand their current state, define what “good” looks like, and identify the fastest path forward.
If this resonated and you want a deeper walkthrough with diagrams and real-world examples, watch our recent on-demand webinar. It breaks down each concept with clarity and real engineering insight.
Watch the webinar: Let’s Get SASE


